grand stream dreams: ForSec News SuperPost

I’m really embarrassed I let this collection of ForSec posts grow this large. There really aren’t any good excuses.

Honestly.

If it were any other weekend, I might take the time to break them down into a series of smaller posts, but the weather is super-nice after our recent Gulf-Coast hard-freeze and I really want to get outside and play for a bit.

So either set aside a lot of time before you get started, get a nice beverage handy, or just bookmark the monster that it is and come back when the weather outside is frightful.

Seriously, it’s that big but the material posted is also that good.

Warm Up Exercises

Practical Cyber Security Training Techniques for New IT Support Employees - (PDF link) - SANS Reading Room paper.

(IN)SECURE Magazine - Issue 40 (December 2013) Released including topics

Testing anti-malware products
Using Tshark for malware detection
5 questions for the head of a malware research team
Malware analysis on a shoestring budget
Report: Virus Bulletin 2013
Digital ship pirates: Researchers crack vessel tracking system
Exploring the challenges of malware analysis
Evading file-based sandboxes

Doing things faster - Hexacorn blog - nice summary of personal tools and techniques used to improve your IT workflow.

Hacked Via RDP: Really Dumb Passwords — Krebs on Security

All About the Windows AutoRun

The ISC Diary has been running a series of posts on Windows auto-run techniques.

These reminded me of a very long-running series of related (and highly-detailed) posts over at the Hexacorn blog that started back in 2012 with the most recent (Part 6) posted yesterday.

Well worth bookmarking for reading and refreshing.

Blog Posts from the Forensic Experts

Holidays and crazy winter weather hasn’t slowed the blogging production of these masters of the forsec world.

Tools, Malware, and more conference follow-up - Windows Incident Response blog
Sniper Forensics, Memory Analysis, and Malware Detection - Windows Incident Response blog
Links and News - Windows Incident Response blog
Updates - Windows Incident Response blog
Shellbags - Windows Incident Response blog
Quick Post - Windows Incident Response blog

Speaking of RegRipper…

Moving down the road a bit

Linkz for Incident Response - Journey Into Incident Response blog
Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys - Journey Into Incident Response blog - This post was particularly timely as we are moving our enterprise platform for desktop users (finally) away from Windows XP and over to Windows 7. As such, we are now having to run many legacy applications under “Compatibility Mode” settings. As more Windows users move away from XP, I suspect these keys will become more important for incident responders.
Revealing the RecentFileCache.bcf File - Journey Into Incident Response blog

And over in the factory

Apple Safari update and fsCachedData - Forensics from the sausage factory blog

And one last interesting post…

Old School techniques to hide from modern-day timelines - Computer Forensics, Malware Analysis & Digital Investigations blog

Case Studies

Sharpen your saw on these fascinating breakdowns of malware and incident responses.

The Case of an Obscure Injection - SpiderLabs Anterior blog
Trust for Sale - SpiderLabs Anterior blog
The story of a Trojan Dropper I - Zscaler Research blog
The story of a Trojan dropper II
The Story of a Trojan Dropper III
The Windows 7 Event Log and USB Device Tracking -Digital Forensics Stream blog
Malware and the Self-Deleting Batch File Method - Journey Into Incident Response blog
64-bit ZBOT Leverages Tor, Improves Evasion Techniques - Security Intelligence Blog
Volatility 2.3 and FireEye's diskless, memory-only Trojan.APT.9002 - HolisticInfoSec blog
Acquiring Memory Images with Dumpit - ISC Diary
Malicious advertisements served via Yahoo - Fox-IT International blog
Malware served via Yahoo affected millions - HitmanPro blog

Speaking of malware analysis, I recently found a new (to me) blog that has some great analysis posts.

Malware Must Die! blog

The posts are quite detailed and richly illustrated. Definitely worth checking out and adding to your RSS feed pile as I have done.

Meanwhile, over at the Open Security Research blog, a new series has been started on using the debugging tool WinDBG.

Getting Started with WinDBG - Part 1- Installation, Interface, Symbols, Remote/Local Debugging, Help, Modules, and Registers
Getting Started with WinDBG - Part 2 - Breakpoints
Getting Started with WinDBG - Part 3 - Inspecting Memory, Stepping Through Programs, and General Tips and Tricks

WinFE News

Thesis on WinFE, shared by Alex Van Ginkel - Windows Forensic Environment blog
Natural Progression for New Users of WinFE - Windows Forensic Environment blog
Integrated Scripts to WinFE - Windows Forensic Environment blog

It has been forever since I last built my WinFE. I’m hoping to update it by walking through a fresh build in the next month or so. Brett Shaver’s blog site is rich with great tips and tools and documentation that makes rolling your own (stock or custom) WinFE package a piece of cake.

More ForSec LiveCD News

Back when I started blogging a lifetime ago, there were really just less than a single handful of useful forensic-focused LiveCD builds available. Most have disappeared but luckily a wealth of others sprung up to take their place. It’s all I can to do to stay on top of all the updates and releases of my favorites.

Xplico – Xplico 1.1.0 - new build released December 27th, 2013. Download
DEFT 2014 – News - DEFT Linux - New version 8.1 expected out in April 2014
Kali Linux 1.0.6 Released - Kali Linux - Downloads.

Hackage & Pwnage (and other almost depressing news of late for consumers and from the thin front line)

Like about most every American, we woke up to very bad news around Christmastime with the announcement that Target had been seriously breached. The post-mortem work appears to be silently continuing but the news has been saturated with corporate data and account breaches lately. We are still waiting for our replacement cards to come in. What a drag but small price to pay. It seem like things are getting worse, but what is discouraging is that these are probably the only ones main-stream media is focusing on and people are paying attention to. These smaller breaches occur daily at businesses large and small. My only hope is that not only will excellent forensic analysis lead to applicable lessons learned to improve things (if actually deployed) but that the public will understand the sharper and narrower razor’s edge we seem to be walking down with our personal data and the dependency of data security. Of course this whole “NSA” backdrop is another fine mess but I’ll leave that for another day.

First the bad news recorded here for posterity.

Two million stolen Facebook, Twitter, Yahoo, ADP passwords found on Pony Botnet server - ZDNet
Hacker database exposed; thousands of stolen Facebook, Twitter, Google passwords found -ZDNet
Found: hacker server storing two million pilfered passwords - Ars Technica
Large Pony botnet controller discovered - Help Net Security
Look What I Found: Moar Pony! - SpiderLabs Anterior blog

And woe the consumer…

Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen — Krebs on Security
Target Confirms PIN Data Also Stolen In Credit/Debit Card Hack – Consumerist
Who’s Selling Credit Cards from Target? — Krebs on Security
Hackers also pilfered personal data on 70 million Target customers - Ars Technica
Target hack actually affects 70 million -- phone numbers, email addresses and more stolen - BetaNews
Target Data Breach Possibly 110 Million, May Include People Who Didn’t Shop During Holidays – Consumerist
The Perils of Plastic: The Problems With Debit And Credit Cards Are Deeper Than We Thought – ReadWrite
Hackers Steal Card Data from Neiman Marcus — Krebs on Security

…and what about those SnapChat users?

To what extent is an organisation liable when they get security wrong? - Troy Hunt’s blog - really good post as it shows how easy it could be to associate a leaked SnapChat account information with a real personal identity.
Snapchat blames feature 'abuse' for phone number and username leak, issues no apology - Beta News
at least until now…Snapchat - Find Friends Improvements
Greyhats expose 4.5 million Snapchat phone numbers using “theoretical” hack (updated) - Ars Technica
Predictably, Snapchat user database maliciously exposed - ZDNet
Researchers publish Snapchat code allowing phone number matching after exploit disclosures ignored - ZDNet

Of course if you try to do the right thing…expect possible whack-a-mole response to your head…

Talk about frustrating…

Have I been pwned?

Meanwhile, leave it to an Aussie to continue to fight the good fight for consumer security.

Have I been pwned? - Check if your email has been compromised in a data breach

It’s not only a great way to stay personally informed about any security breaches but it’s a good way to show non-technical family and friends this really does impact them. Family and friends may shake their heads at the news stories, but when you have them type one of their email addresses into here and it (unfortunately) shows up…it becomes much more personal.

A few odds-and-ends in closing…

Just some odds and ends I’ve found these past weeks

Avira PC Cleaner – a second opinion scanner - Avira – TechBlog. Spotted via this BetaNews blog post, Avira reveals stand-alone Avira PC Cleaner.

FBCacheView - NirSoft - Shows Facebook images stored in the cache of your Web browser

Security Essentials for Windows XP will die when the OS does - Ars Technica - Really? Like anybody was surprised by this news.

Cheers!

--Claus Valca

grand stream dreams

Saturday, January 11, 2014

ForSec News SuperPost

No comments: